<?php


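/**
 * Front-controller plugin that enforces a per-session CSRF token.
 *
 * On every request the plugin verifies the token submitted with POST
 * requests against the one stored in the 'okute' session namespace, then
 * issues a fresh token and exposes it to the view as $this->csrf so that
 * forms can embed it in a hidden "csrf" field.
 */
class Okute_Controller_Plugin_Security extends Zend_Controller_Plugin_Abstract
{
    /**
     * Verify the CSRF token on POST requests and rotate it.
     *
     * @param Zend_Controller_Request_Abstract $request Current request.
     *
     * @return void
     *
     * @throws Okute_Exception When a POST request carries no token or a token
     *                         that does not match the session, or when no
     *                         secure random source is available.
     */
    public function routeStartup(Zend_Controller_Request_Abstract $request)
    {
        $session = new Zend_Session_Namespace('okute');

        // CSRF protection: a POST must carry the token issued on the previous
        // response of this session.
        // NOTE(review): only POST is checked here. If the application accepts
        // other state-changing methods (PUT, DELETE, ...), they bypass this
        // check - confirm against the routes in use.
        if ($request->getMethod() === 'POST') {
            $csrf = $request->getPost('csrf');
            if (!$this->_tokensMatch($session->csrf, $csrf)) {
                throw new Okute_Exception('CSRF attack');
            }
        }

        $viewRenderer = Zend_Controller_Action_HelperBroker::getStaticHelper(
            'ViewRenderer'
        );

        // The token is replaced on every request, so a form rendered by an
        // earlier response stops validating once another request is served.
        $session->csrf = $this->_generateToken();
        $viewRenderer->view->csrf = $session->csrf;
    }

    /**
     * Compare the stored and submitted tokens without leaking timing.
     *
     * Non-string values are rejected up front: getPost() returns an array
     * when the client sends "csrf[]=...", and a missing session token is null.
     *
     * @param mixed $expected  Token stored in the session.
     * @param mixed $submitted Token received from the client.
     *
     * @return bool True only when both are identical non-empty strings.
     */
    private function _tokensMatch($expected, $submitted)
    {
        if (!is_string($expected) || !is_string($submitted) || $expected === '') {
            return false;
        }

        if (function_exists('hash_equals')) {
            return hash_equals($expected, $submitted);
        }

        // Fallback for PHP < 5.6: accumulate differences over the full length
        // instead of returning at the first mismatching byte.
        $length = strlen($expected);
        if ($length !== strlen($submitted)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < $length; $i++) {
            $diff |= ord($expected[$i]) ^ ord($submitted[$i]);
        }

        return $diff === 0;
    }

    /**
     * Produce an unpredictable 40-character hexadecimal token.
     *
     * The previous sha1(microtime()) derivation depended only on the server
     * clock, which an observer can estimate; the token now comes from a
     * cryptographically secure random source. The length matches the old
     * SHA-1 hex output, so templates and storage are unaffected.
     *
     * @return string
     *
     * @throws Okute_Exception When no secure random source is available.
     */
    private function _generateToken()
    {
        if (function_exists('random_bytes')) {
            return bin2hex(random_bytes(20));
        }

        if (function_exists('openssl_random_pseudo_bytes')) {
            $strong = false;
            $bytes = openssl_random_pseudo_bytes(20, $strong);
            if ($bytes !== false && $strong === true) {
                return bin2hex($bytes);
            }
        }

        // Fail closed rather than fall back to a guessable token.
        throw new Okute_Exception('No secure random source available for CSRF token');
    }
}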